Skip to content

ci: add permissions: contents: read to test#129

Open
arpitjain099 wants to merge 1 commit into
parcel-bundler:masterfrom
arpitjain099:chore/declare-workflow-perms
Open

ci: add permissions: contents: read to test#129
arpitjain099 wants to merge 1 commit into
parcel-bundler:masterfrom
arpitjain099:chore/declare-workflow-perms

Conversation

@arpitjain099

Copy link
Copy Markdown

This adds an explicit permissions: block to the test workflow so the GitHub-issued token for runs of test.yml is granted only the scopes the job actually uses.

The change is permissions: contents: read at the top level. The workflow checks out the repo and runs its declared steps; there is no git push, no gh release create, no comment-on-PR action, no API write. contents: read is therefore the minimum sufficient scope.

Why bother for a workflow that looks innocuous: the worry is not what this workflow does today, it is what an action used inside it might be coerced into doing tomorrow if a third-party dependency in the action chain is compromised. The CVE-2025-30066 (tj-actions/changed-files, March 2025) incident is the canonical recent example. Without an explicit permissions: block, the run inherits the repository-default token scope, which is permissive on many older repos.

Aligns with GitHub's own token-hardening guidance and OpenSSF Scorecard (Token-Permissions). Standalone diff, no behavior change, YAML re-parses with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant